Re: [Rift] Initial implementation of security in RIFT-Python is complete

Tony Przygienda <tonysietf@gmail.com> Fri, 26 April 2019 03:15 UTC

References: <B2545DF8-1C4C-4B97-8CEE-4D5EDCF2EB8D@gmail.com> <MWHPR05MB3279AB3BE295959AD2AF1BADAC3C0@MWHPR05MB3279.namprd05.prod.outlook.com>
In-Reply-To: <MWHPR05MB3279AB3BE295959AD2AF1BADAC3C0@MWHPR05MB3279.namprd05.prod.outlook.com>
From: Tony Przygienda <tonysietf@gmail.com>
Date: Thu, 25 Apr 2019 20:15:12 -0700
Message-ID: <CA+wi2hNJ=fGWjySnO-qwo5dj0ajgkTiFQn+HEs-MWnPCDHKGzA@mail.gmail.com>
To: Antoni Przygienda <prz=40juniper.net@dmarc.ietf.org>
Cc: Bruno Rijsman <brunorijsman@gmail.com>, "rift@ietf.org" <rift@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/UOj4epydyXVB6BtrwDAAeqXjcu4>
List-Id: Discussion of Routing in Fat Trees <rift.ietf.org>

Ok, I looked over the stuff in more detail again and I see that the yaml
schema is only a limited security model and would hence like to extend it a
bit. Let me know what you think.

At the top I'd like to add private-secret to support private/public key and
not only shared

{?} keys:
    {+} - id: <24-bit key number>
    {1}   algorithm: [hmac-sha-256]
    {1}   secret: <string>
    {?}   private-secret: <string>

under -name (i.e. per node) it would be good to have

{?}      tie_validation: [none|permissive|loose|strict]

to support testing of the common models of processing of signatures

Then under interface we'd need

{?}           active_key: <8-bit key number>
{?}           accept_keys: <set of 8-bit key number>
{?}           lie_validation: [none|permissive|loose|strict]  (6)

so we can test a mix of interfaces using different keys and not using them at
all (we can share the global keys for that purpose since it's simpler but
can only use the 8-bit IDs)

--- tony
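As an added example (not code from the thread or from RIFT-Python), a small checker for the schema extension proposed above, assuming the YAML has already been loaded into Python dicts with the per-node list under a `nodes` key and each node's interfaces under `interfaces` (that nesting is my assumption). It enforces the 24-bit global vs 8-bit interface key-id widths, the validation-mode enums, and that interface keys refer to keys defined at the top level:

```python
from typing import Any, Dict, List

VALIDATION_MODES = {"none", "permissive", "loose", "strict"}
ALGORITHMS = {"hmac-sha-256"}


def key_id_ok(kid: Any, bits: int) -> bool:
    """True if kid is an unsigned integer (not a bool) that fits in `bits` bits."""
    return isinstance(kid, int) and not isinstance(kid, bool) and 0 <= kid < (1 << bits)


def validate_config(cfg: Dict[str, Any]) -> List[str]:
    """Return schema violations for the extended security config; [] means consistent."""
    errors: List[str] = []
    key_ids = set()
    for k in cfg.get("keys", []):                       # top level: {+} list of 24-bit ids
        kid = k.get("id")
        if not key_id_ok(kid, 24):
            errors.append(f"key id {kid!r} is not a 24-bit number")
        key_ids.add(kid)
        if k.get("algorithm") not in ALGORITHMS:
            errors.append(f"key {kid}: unsupported algorithm {k.get('algorithm')!r}")
        if not (k.get("secret") or k.get("private-secret")):
            errors.append(f"key {kid}: needs 'secret' or 'private-secret'")
    for node in cfg.get("nodes", []):                   # per node: tie_validation
        if node.get("tie_validation", "none") not in VALIDATION_MODES:
            errors.append(f"node {node.get('name')}: bad tie_validation")
        for iface in node.get("interfaces", []):        # per interface: 8-bit ids only
            name = f"{node.get('name')}/{iface.get('name')}"
            active = iface.get("active_key")
            for kid in ([] if active is None else [active]) + list(iface.get("accept_keys", [])):
                if not key_id_ok(kid, 8):
                    errors.append(f"{name}: key id {kid!r} is not an 8-bit number")
                elif kid not in key_ids:
                    errors.append(f"{name}: key id {kid} is not defined under 'keys'")
            if iface.get("lie_validation", "none") not in VALIDATION_MODES:
                errors.append(f"{name}: bad lie_validation")
    return errors


# Constructed sample: the parsed form of the YAML proposed in the thread (assumed nesting).
SAMPLE_CONFIG = {
    "keys": [{"id": 1, "algorithm": "hmac-sha-256", "secret": "constructed-shared-secret"},
             {"id": 4096, "algorithm": "hmac-sha-256", "private-secret": "constructed-private"}],
    "nodes": [{"name": "leaf1", "tie_validation": "strict", "interfaces": [
        {"name": "if1", "active_key": 1, "accept_keys": [1], "lie_validation": "strict"},
        {"name": "if2", "lie_validation": "none"},                        # uses no keys at all
        {"name": "if3", "active_key": 4096, "lie_validation": "loose"},   # 24-bit id: rejected
    ]}],
}
```

Running `validate_config(SAMPLE_CONFIG)` flags only `if3`, which shows why a global key with an id above 255 can be defined but not selected on an interface.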

On Wed, Apr 24, 2019 at 10:47 AM Antoni Przygienda <prz=
40juniper.net@dmarc.ietf.org> wrote:

> read your guide in detail. makes all perfect sense. will extend schema to
> what you suggest so inter'op ...
>
> thanks
>
> --- tony
>
> ------------------------------
> *From:* Bruno Rijsman <brunorijsman@gmail.com>
> *Sent:* Monday, April 22, 2019 4:16 PM
> *To:* rift@ietf.org
> *Subject:* Initial implementation of security in RIFT-Python is complete
>
> I have finished the initial implementation of security in
> RIFT-Python (security envelope, keys, fingerprints, nonces, packet-nr, etc.
> etc.)
>
> See http://bit.ly/rift-python-security-feature-guide for
> a detailed feature guide.
>
> While implementing the code, I gathered a number of comments on the
> security section of the draft -05. I will report these in a follow-up
> e-mail.
>
> -- Bruno
> _______________________________________________
> RIFT mailing list
> RIFT@ietf.org
> https://www.ietf.org/mailman/listinfo/rift
>